Like all major infrastructure, the nation’s power grid is subject to an array of threats, from naturally caused phenomena such as extreme weather to vandalism, domestic and foreign terrorism, and insider risks that jeopardize reliability, safety and data security. The stakes are high; our response to an event affects our customers, our reputation and the reliability of the power grid.
AEP continually evaluates cyber and physical security risks enterprise-wide using our risk management process, providing a comprehensive approach to understanding and managing these risks in relation to other enterprise risks. It also enables decision-making based on the level of acceptable risk, as well as our priorities and resources.
The harsh reality of the digital world is that our infrastructure is under constant threat from cyber and physical attacks. Third-party products and services create new and growing risk to the power grid, prompting new regulations to protect it. As the threats become more sophisticated and far-reaching, it is a constant challenge to achieve the right level of risk management. AEP’s comprehensive security strategy – known as “Defense in Depth” – assumes a broader range of possibilities, such as physical theft, unauthorized access to data, and incidental threats that do not specifically target protected systems or assets.
- Cyber & Physical Security
Adoption of new technologies, such as automation and digitization, opens the door to new threats and security risks to the electric power grid. New mobile apps and services that we develop or purchase for customer use, along with our own increasing reliance on cloud-based programs, increase external connectivity to our network.
The pandemic caused us to quickly transition our workforce to a remote work environment in March 2020. As a result, the number of employee users remotely connecting to our network increased tenfold. Fortunately, we had a well-designed and secure remote connectivity architecture, which easily supported the additional remote connections without introducing significant risk. Our security access program monitors and manages these connections while providing controlled access that allows us to get our work done. We consider and test possible ways attackers could breach our systems. It is not a matter of whether it will occur but when. We are identifying and implementing the right defenses to protect AEP’s networks and data. Our strategy includes preparation for recovery if a breach occurs, through policies, procedures and technology, as well as through educating our workforce about the growing threat.
Cloud computing has created new opportunities for us, and as we expand and rely upon these capabilities, we must mitigate the corresponding cybersecurity risks. We have aligned closely with our Information Technology Cloud Center of Excellence to establish a proactive approach to addressing the security risks associated with the cloud. Our Cloud Security focus group leads our efforts to establish a strategy for the various forms of cloud computing, consistent with the Cloud Security Alliance (CSA) framework, and to develop a security roadmap. This will prove helpful as the North American Electric Reliability Corporation (NERC) is considering updating the NERC CIP standards to address the use of virtualization and cloud computing services in Bulk Electric System (BES) operations, along with their associated risks, controls and oversight.
We continue to be a leader in cyber security through participating in – and leading – industry and regulator-hosted discussions. Our collaboration with the National Governors Association (NGA) allows us to improve our coordination with government in responding to natural disasters and to physical and cyber risks or attacks. We are participating in workshops for states and the National Guard due to their pivotal role in disaster response. We also partner with private sector companies and government agencies to secure the grid.
We learn from and take actions based on real-world events. Our Defense in Depth approach to cyber and physical security allows us to deal with threats in real time. These strategies include proactive threat intelligence, monitoring, alerting and emergency response; employee education; forensic analysis; disaster recovery; and criminal activity reporting. Through rapid notification and response when attacks and disasters are underway, we can reduce the impacts of cyberattacks and avoid or mitigate the damage before experiencing the full impact of the threat.
Every two years, we test our operational response to potential power grid vulnerabilities or emergencies through GridEx exercises developed by NERC. These exercises complement our annual exercises, allowing us to practice and prepare our response to national level emergency scenarios in a controlled environment. This ensures we have the proper policies and procedures in place should an event occur. Through this controlled exercise, we can see how our policies and procedures are helping us respond to various events ranging from cyber and physical attacks to loss of our situational awareness tools. NERC’s next national GridEx exercise is scheduled to take place in late 2021.
New physical threats emerged in 2020 due to social and civil unrest, including threats of vandalism and domestic terrorism to AEP’s facilities and substations. Several AEP-operated buildings were located near some of the demonstrations that took place in 2020. We actively monitored potential risks, coordinated with local, state and federal law enforcement and other intelligence sources, and put safety protocols in place. Our response to an event affects the safety of our employees and customers, our reputation and the reliability of the power grid.
- Security Governance
A cyberattack against critical electric utility infrastructure could be devastating to the country’s stability and economy. If successful, an attack could disable the nation’s transportation, utilities, telecommunications, and financial infrastructure. This is why strong governance, oversight and regulations are vital to the strength and resilience of our bulk electric system (BES).
We have a centralized enterprise security program focused on managing security risk across the entire system. The Chief Security and Privacy Officer leads an interactive monthly CEO Security briefing, which includes the CEO and other top executives at AEP. In addition, the cyber and physical security of the BES is highly regulated by the federal government through NERC CIP Reliability Standards. We are routinely audited for compliance with federal standards in both cyber and physical security. In addition, AEP’s Board of Directors and the Audit Committee review our enterprise cyber and physical security efforts.
The Chief Security and Privacy Officer is also the NERC CIP Senior Manager, which helps ensure a single approach to NERC CIP compliance and complements the enterprise security program. Our NERC compliance governance structure was developed specifically to respond to the current compliance environment and provides the direction, agility and organizational support needed to implement an industry-leading NERC compliance program. Learn more in the NERC Compliance section.
To ensure our enterprise-wide security controls are comprehensive, effective and in compliance with best practices and regulatory requirements, we have established a robust, collaborative security policy management program that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our resulting policies and standards are jointly developed with AEP’s business areas, through the Enterprise Security Advisory Council, to maximize adoption and implementation of standard controls, thereby reducing security risk to AEP.
We classify all BES facilities based on their criticality to determine the level of physical security needed. This approach allows us to design security controls for new infrastructure from the start, building the costs into capital projects as needed. It also allows us to be more proactive with new and existing infrastructure while balancing risks with mitigation solutions.
- Supply Chain Security
Third-party risk is a major challenge to power utilities as malicious actors have targeted equipment, software and service vendors with an increasing number of attacks. As we look to expand our renewable energy portfolio, additional security controls will be needed to monitor and manage the growing third-party risks to our operations.
Our Third-Party Risk Governance Committee consists of our Chief Security Officer, Chief Procurement Officer, Chief Risk Officer, Chief Information Officer and Legal Counsel. This committee reviews the performance of our third-party risk program, provides guidance and approves changes to the program and assessment processes. All primary contracts must abide by our security requirements.
In December 2020, the Secretary of Energy signed Executive Order 13920 prohibiting utilities that supply critical defense facilities from procuring certain equipment from the People’s Republic of China. The order singles out specific electric equipment that poses risk to the power grid, the security or resilience of critical infrastructure, the economy, national security, or the safety and security of Americans. In response, we are identifying third-party entities that have international involvement to ensure proper controls are in place.
Following approval from the Federal Energy Regulatory Commission (FERC), NERC has expanded the CIP Reliability Standards to require utilities to develop a plan for managing cyber-related risks within their supply chain. The new standards require utilities to assess vendor security controls, verify the authenticity of the source of software downloads and integrity of that software, and establish better controls over vendor remote access to the BES.
In 2019, we joined Fortress Information Security in launching the Asset-to-Vendor Network (A2V) for Power Utilities, a joint venture to promote information sharing among electric utilities and reduce the costs associated with supply chain security assessments. Members of this network share the results of assessments of vendor security practices with the goal of reducing risk to the energy sector’s critical infrastructure. We actively support the growth of the program by generating ideas for new data elements, developing client participation and contributing assessment data to the exchange. Additionally, A2V is in conversations with federal government partners about how to more broadly expand the positive impact of the program on the utility industry.
- Security Awareness & Training
Our most important partners in protecting AEP’s cyber and physical security are our employees. Our Security Awareness program reduces risk by promoting security best practices and providing awareness education to our employees and contractors. The success of our program depends on constant communication and reinforcement. Our mission is to protect AEP’s assets and information, enable the business to work securely and efficiently, and educate employees and contractors about their responsibility to keep AEP secure.
We leverage Security Ambassadors and local Champions to support our employee security awareness efforts and training:
- Training covers a wide variety of topics such as policies and standards, domestic violence, workplace aggression, personally identifiable information (PII), password protection and active shooter situations.
- All AEP employees and contractors are assigned annual Security Awareness Training, which covers issues such as tailgating into restricted areas, access management, phishing and other areas that affect day-to-day security.
- New employees receive training to educate them on their role in protecting the grid as well as information about AEP’s security standards and tips to stay safe online.
- We provide NERC CIP Cyber Security Training for employees and supervisors with NERC CIP access. We also provide training on our NERC CIP Information Protection Program.
Learn more about our employee training for workforce safety and security.
- Insider Threat
Threats to the grid can also come from within. In response, we established an Insider Protection and Prevention Program (IP3). To ensure best practices, we use insights and recommendations from security experts to develop a risk-based approach that continually identifies, assesses and ultimately protects our critical assets from insider threats. All employees, contractors and other business partners that have access to any critical assets, including personnel, facilities, information, equipment, networks and systems, are included. A cross-functional executive team composed of Enterprise Security, Human Resources, Business Ethics and Compliance and Legal oversees the program.
- Phishing Accountability
One of our greatest threats comes from phishing attacks on our system. Phishing is a form of attack in which malicious emails seek to obtain sensitive information such as user names, passwords, credit card details and other corporate data. Cyber criminals know that humans are the weakest link when it comes to protecting corporate data, and are continuously creating more sophisticated phishing emails to exploit this weakness. In early 2020, we adopted a new Phishing Accountability policy to educate employees on how to better identify risky emails and to hold employees accountable for doing so. We test our employees’ ability to detect malicious emails with periodic phishing simulations. Employees who fail a phishing simulation receive further education and training. Continued failure to identify risky emails could also result in disciplinary action.